3Com Router User Manual
IPSec Configuration Example 577

Displaying and Debugging the crypto card

Use the debugging, reset and display commands in all views.

Table 655 Display and Debug NDEC Card (all commands in this table apply to crypto cards only)

  Operation                                                              Command
  Display the detailed information of crypto cards
      display encrypt-card details [ slot-id ]
  Display all established Security Associations on the crypto card
      display encrypt-card ipsec sa all [ slot-id ]
  Display a specified Security Association on the crypto card
      display encrypt-card ipsec sa parameters remote-address protocol spi-number
  Display statistics of the security packet processing on the crypto card
      display encrypt-card statistic [ slot-id ]
  Display the current operating status of the crypto card
      display encrypt-card status [ slot-id ]
  Display the current operating log of the crypto card
      display encrypt-card syslog [ slot-id ]
  Display the version number of the crypto card
      display encrypt-card version [ slot-id ]
  Delete all established Security Associations
      reset encrypt-card sa all [ slot-id ]
  Delete the specified Security Association on the crypto card
      reset encrypt-card sa parameters remote-address protocol spi-number
  Clear the security packet statistics on the crypto card
      reset encrypt-card statistic [ slot-id ]
  Clear all logging information on the crypto card
      reset encrypt-card syslog [ slot-id ]
  Enable debugging of information, packets, SA, command, error and other messages
      debugging encrypt-card { all | packet | sa | command | error | misc } [ slot-id ]
  Enable debugging of the main software on the crypto card
      debugging encrypt-card host { all | packet | sa | command | error | misc }

IPSec Configuration Example

The following sections demonstrate these IPSec configurations:
  ■ Creating an SA Manually
  ■ Creating an SA in IKE Negotiation Mode
  ■ Encrypting, Decrypting, and Authenticating NDEC Cards

Creating an SA Manually

Establish a security tunnel between Router A and Router B to protect the data streams between the subnet represented by PC A (10.1.1.x) and the subnet represented by PC B (10.1.2.x). The security protocol is ESP, the encryption algorithm is DES, and the authentication algorithm is sha1-hmac-96.
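What the authentication algorithm named in the example above (sha1-hmac-96) does on the wire, as an added illustration that is not part of the 3Com manual: the sender computes HMAC-SHA-1 over the ESP header (SPI and sequence number) and the encrypted payload, keeps only the first 96 bits as the Integrity Check Value, and the receiver can verify the packet only if its inbound SA carries the same SPI and the same authentication key as the sender's outbound SA. The example uses only Python's standard library. It assumes, for illustration, that the bytes of the configured string-key are used directly as the HMAC key (the manual does not state how the router derives keys from string-key), and it uses constructed bytes in place of DES ciphertext; the SPI and key values are the ones from the manual's example.

```python
# Added example (not from the 3Com manual): ESP integrity check with HMAC-SHA-1-96.
import hashlib
import hmac
import struct

ICV_LEN = 12  # "sha1-hmac-96": the 160-bit HMAC-SHA-1 output truncated to 96 bits (12 bytes)


def esp_authenticate(spi, seq, enc_payload, auth_key):
    """Return an ESP packet: SPI(4) || sequence(4) || encrypted payload || 96-bit ICV.

    The ICV covers everything that precedes it, so the SPI and the sequence number
    cannot be altered in transit without the receiver noticing.
    """
    header = struct.pack("!II", spi, seq)
    icv = hmac.new(auth_key, header + enc_payload, hashlib.sha1).digest()[:ICV_LEN]
    return header + enc_payload + icv


def esp_verify(packet, auth_key):
    """Check the ICV; return (spi, seq, encrypted payload) or None when authentication fails."""
    if len(packet) < 8 + ICV_LEN:
        return None
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):   # constant-time comparison
        return None
    spi, seq = struct.unpack("!II", body[:8])
    return spi, seq, body[8:]


def sa_demo():
    """Constructed walk-through of the manual's SPI/key mirroring rule.

    Router A sends on its outbound SA (SPI 12345, string-key abcdefg); Router B must
    hold exactly those values as its *inbound* SA.  Returns the three verification
    results: correct inbound SA, Router B's outbound key used by mistake, tampered SPI.
    """
    key_a_out = b"abcdefg"            # assumption: string-key bytes feed the HMAC directly
    ciphertext = bytes(range(16))     # stands in for DES-CBC output; its content is irrelevant here
    pkt = esp_authenticate(12345, 1, ciphertext, key_a_out)
    ok = esp_verify(pkt, b"abcdefg")                         # B's inbound SA mirrors A's outbound SA
    wrong_key = esp_verify(pkt, b"gfedcba")                  # B's outbound key: the classic mirror error
    tampered = esp_verify(struct.pack("!I", 54321) + pkt[4:], b"abcdefg")  # SPI rewritten in flight
    return ok, wrong_key, tampered


if __name__ == "__main__":
    print(sa_demo())
```

Running the script shows the first packet accepted with SPI 12345 and the two others rejected; the second failure is exactly what the troubleshooting section later describes when the SA parameters at the two ends do not correspond.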
578 CHAPTER 40: CONFIGURING IPSEC

[Figure 174 Networking diagram of manually creating SA: PC A (10.1.1.2) -- Router A (10.1.1.1; s0: 202.38.163.1) -- Internet -- Router B (s0: 202.38.162.1; 10.1.2.1) -- PC B (10.1.2.2)]

Prior to the configuration, ensure that Router A and Router B can interwork at the network layer through the serial interface.

1  Configure Router A:
   a  Configure an access list and define the data stream from Subnet 10.1.1.x to Subnet 10.1.2.x.
      [RouterA] acl 101
      [RouterA-acl-101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
      [RouterA-acl-101] rule deny ip source any destination any
   b  Create the IPSec proposal view named tran1.
      [RouterA] ipsec proposal tran1
   c  Adopt tunnel mode as the message-encapsulating form.
      [RouterA-ipsec-proposal-tran1] encapsulation-mode tunnel
   d  Adopt ESP as the security protocol.
      [RouterA-ipsec-proposal-tran1] transform esp-new
   e  Select the encryption algorithm and the authentication algorithm.
      [RouterA-ipsec-proposal-tran1] esp-new encryption-algorithm des
      [RouterA-ipsec-proposal-tran1] esp-new authentication-algorithm sha1-hmac-96
   f  Create a security policy with the negotiation mode set to manual.
      [RouterA] ipsec policy policy1 10 manual
   g  Quote the access list.
      [RouterA-ipsec-policy-policy1-10] security acl 101
   h  Quote the IPSec proposal.
      [RouterA-ipsec-policy-policy1-10] proposal tran1
   i  Set the local and remote addresses.
      [RouterA-ipsec-policy-policy1-10] tunnel local 202.38.163.1
      [RouterA-ipsec-policy-policy1-10] tunnel remote 202.38.162.1
   j  Set the SPIs.
      [RouterA-ipsec-policy-policy1-10] sa outbound esp spi 12345
      [RouterA-ipsec-policy-policy1-10] sa inbound esp spi 54321
   k  Set the session keys.
      [RouterA-ipsec-policy-policy1-10] sa outbound esp string-key abcdefg
      [RouterA-ipsec-policy-policy1-10] sa inbound esp string-key gfedcba
   l  Apply the security policy group on the serial interface.
      [RouterA] interface serial 0
      [RouterA-Serial0] ipsec policy policy1
      [RouterA-Serial0] ip address 202.38.163.1 255.255.255.0
   m  Configure the route.
      [RouterA] ip route-static 10.1.2.0 255.255.255.0 202.38.162.1

2  Configure Router B:
   a  Configure an access list and define the data stream from Subnet 10.1.2.x to Subnet 10.1.1.x.
      [RouterB] acl 101
      [RouterB-acl-101] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
      [RouterB-acl-101] rule deny ip source any destination any
   b  Create the IPSec proposal view named tran1.
      [RouterB] ipsec proposal tran1
   c  Adopt tunnel mode as the message-encapsulating form.
      [RouterB-ipsec-proposal-tran1] encapsulation-mode tunnel
   d  Adopt ESP as the security protocol.
      [RouterB-ipsec-proposal-tran1] transform esp-new
   e  Select the encryption algorithm and the authentication algorithm.
      [RouterB-ipsec-proposal-tran1] esp-new encryption-algorithm des
      [RouterB-ipsec-proposal-tran1] esp-new authentication-algorithm sha1-hmac-96
   f  Create a security policy with the negotiation mode set to manual.
      [RouterB] ipsec policy use1 10 manual
   g  Quote the access list.
      [RouterB-ipsec-policy-use1-10] security acl 101
   h  Quote the IPSec proposal.
      [RouterB-ipsec-policy-use1-10] proposal tran1
   i  Set the local and remote addresses.
      [RouterB-ipsec-policy-use1-10] tunnel local 202.38.162.1
      [RouterB-ipsec-policy-use1-10] tunnel remote 202.38.163.1
   j  Set the SPIs.
      [RouterB-ipsec-policy-use1-10] sa outbound esp spi 54321
      [RouterB-ipsec-policy-use1-10] sa inbound esp spi 12345
   k  Set the session keys.
      [RouterB-ipsec-policy-use1-10] sa outbound esp string-key gfedcba
      [RouterB-ipsec-policy-use1-10] sa inbound esp string-key abcdefg
   l  Exit to system view.
      [RouterB-ipsec-policy-use1-10] quit
   m  Enter serial interface view.
      [RouterB] interface serial 0
   n  Apply the security policy group on the serial interface.
      [RouterB-Serial0] ipsec policy use1
      [RouterB-Serial0] ip address 202.38.162.1 255.255.255.0
   o  Configure the route.
      [RouterB] ip route-static 10.1.1.0 255.255.255.0 202.38.163.1

After the configuration is complete and the security tunnel between Router A and Router B is established, the data stream between Subnet 10.1.1.x and Subnet 10.1.2.x is transmitted encrypted.

Creating an SA in IKE Negotiation Mode

Establish a security tunnel between Router A and Router B to protect the data streams between the subnet represented by PC A (10.1.1.x) and the subnet represented by PC B (10.1.2.x). The security protocol is ESP, the encryption algorithm is DES, and the authentication algorithm is sha1-hmac-96. See Figure 174 for an illustration of the configuration.

Prior to configuring, ensure that Router A and Router B can interwork at the network layer through the serial interface.

1  Configure Router A:
   a  Configure an access list and define the data stream from Subnet 10.1.1.x to Subnet 10.1.2.x.
      [RouterA] acl 101
      [RouterA-acl-101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
      [RouterA-acl-101] rule deny ip source any destination any
   b  Create the IPSec proposal view named tran1.
      [RouterA] ipsec proposal tran1
   c  Adopt tunnel mode as the message-encapsulating form.
      [RouterA-ipsec-proposal-tran1] encapsulation-mode tunnel
   d  Adopt ESP as the security protocol.
      [RouterA-ipsec-proposal-tran1] transform esp-new
   e  Select the encryption algorithm and the authentication algorithm.
      [RouterA-ipsec-proposal-tran1] esp-new encryption-algorithm des
      [RouterA-ipsec-proposal-tran1] esp-new authentication-algorithm sha1-hmac-96
   f  Create a security policy with the negotiation mode set to isakmp.
      [RouterA] ipsec policy policy1 10 isakmp
   g  Set the remote address.
      [RouterA-ipsec-policy-policy1-10] tunnel remote 202.38.162.1
   h  Quote the IPSec proposal.
      [RouterA-ipsec-policy-policy1-10] proposal tran1
   i  Quote the access list.
      [RouterA-ipsec-policy-policy1-10] security acl 101
   j  Exit to system view.
      [RouterA-ipsec-policy-policy1-10] quit
   k  Enter serial interface view.
      [RouterA] interface serial 0
   l  Configure the IP address of the serial interface.
      [RouterA-Serial0] ip address 202.38.163.1 255.255.255.0
   m  Apply the security policy group on the serial interface.
      [RouterA-Serial0] ipsec policy policy1
   n  Configure the route.
      [RouterA] ip route-static 10.1.2.0 255.255.255.0 202.38.162.1
   o  Configure the corresponding IKE pre-shared key.
      [RouterA] ike pre-shared-key abcde remote 202.38.162.1

2  Configure Router B:
   a  Configure an access list and define the data stream from Subnet 10.1.2.x to Subnet 10.1.1.x.
      [RouterB] acl 101
      [RouterB-acl-101] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
      [RouterB-acl-101] rule deny ip source any destination any
   b  Create the IPSec proposal view named tran1.
      [RouterB] ipsec proposal tran1
   c  Adopt tunnel mode as the message-encapsulating form.
      [RouterB-ipsec-proposal-tran1] encapsulation-mode tunnel
   d  Adopt ESP as the security protocol.
      [RouterB-ipsec-proposal-tran1] transform esp-new
   e  Select the encryption algorithm and the authentication algorithm.
      [RouterB-ipsec-proposal-tran1] esp-new encryption-algorithm des
      [RouterB-ipsec-proposal-tran1] esp-new authentication-algorithm sha1-hmac-96
   f  Create a security policy with the negotiation mode set to isakmp.
      [RouterB] ipsec policy use1 10 isakmp
   g  Quote the access list.
      [RouterB-ipsec-policy-use1-10] security acl 101
   h  Set the remote address.
      [RouterB-ipsec-policy-use1-10] tunnel remote 202.38.163.1
   i  Quote the IPSec proposal.
      [RouterB-ipsec-policy-use1-10] proposal tran1
   j  Configure the serial interface Serial0.
      [RouterB] interface serial 0
      [RouterB-Serial0] ip address 202.38.162.1 255.255.255.0
   k  Apply the security policy group on the serial interface.
      [RouterB-Serial0] ipsec policy use1
   l  Configure the route.
      [RouterB] ip route-static 10.1.1.0 255.255.255.0 202.38.163.1
   m  Configure the corresponding IKE pre-shared key.
      [RouterB] ike pre-shared-key abcde remote 202.38.163.1

After the above configuration is completed, when packets between Subnet 10.1.1.x and Subnet 10.1.2.x are transmitted between Router A and Router B, IKE is triggered to negotiate and establish the SA. After IKE negotiates successfully and the SA is established, the data stream between Subnet 10.1.1.x and Subnet 10.1.2.x is transmitted encrypted.

Encrypting, Decrypting, and Authenticating NDEC Cards

Establish a security tunnel between Router A and Router B to protect the data stream between the subnet represented by PC A (10.1.1.x) and the subnet represented by PC B (10.1.2.x). The security association is established manually. The security protocol is ESP, the encryption algorithm is DES, and the authentication algorithm is sha1-hmac-96.

[Figure 175 Networking diagram of establishing a security tunnel using crypto cards: PC A (10.1.1.2) -- Router A (e0: 10.1.1.1; s0: 202.38.163.1) -- Internet -- Router B (s0: 202.38.162.1; e0: 10.1.2.1) -- PC B (10.1.2.2)]

1  Configure Router A:
   a  Configure an access list and define the data stream from subnet 10.1.1.x to subnet 10.1.2.x.
      [RouterA] acl 101
      [RouterA-acl-101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
      [RouterA-acl-101] rule deny ip source any destination any
   b  Create the crypto card proposal view named tran1.
      [RouterA] ipsec card-proposal tran1
   c  Adopt tunnel mode as the packet-encapsulating form.
      [RouterA-ipsec-card-proposal-tran1] encapsulation-mode tunnel
   d  Adopt ESP as the security protocol.
      [RouterA-ipsec-card-proposal-tran1] transform esp-new
   e  Select the algorithms.
      [RouterA-ipsec-card-proposal-tran1] esp-new encryption-algorithm des
      [RouterA-ipsec-card-proposal-tran1] esp-new authentication-algorithm sha1-hmac-96
   f  Return to system view.
      [RouterA-ipsec-card-proposal-tran1] quit
   g  Create a security policy with the negotiation mode set to manual.
      [RouterA] ipsec policy policy1 10 manual
   h  Quote the access list.
      [RouterA-ipsec-policy-policy1-10] security acl 101
   i  Set the remote address.
      [RouterA-ipsec-policy-policy1-10] tunnel remote 202.38.162.1
   j  Set the local address.
      [RouterA-ipsec-policy-policy1-10] tunnel local 202.38.163.1
   k  Quote the IPSec proposal.
      [RouterA-ipsec-policy-policy1-10] proposal tran1
   l  Set the SPIs.
      [RouterA-ipsec-policy-policy1-10] sa outbound esp spi 12345
      [RouterA-ipsec-policy-policy1-10] sa inbound esp spi 54321
   m  Set the encryption keys.
      [RouterA-ipsec-policy-policy1-10] sa outbound esp string-key abcdefg
      [RouterA-ipsec-policy-policy1-10] sa inbound esp string-key gfedcba
   n  Return to system view.
      [RouterA-ipsec-policy-policy1-10] quit
   o  Enter Ethernet interface view and configure the IP address.
      [RouterA] interface ethernet 0
      [RouterA-Ethernet0] ip address 10.1.1.1 255.255.255.0
      [RouterA-Ethernet0] quit
   p  Enter serial interface view and configure the IP address.
      [RouterA] interface serial 0
      [RouterA-Serial0] ip address 202.38.163.1 255.255.255.0
   q  Return to system view and configure the static route to network segment 10.1.2.x.
      [RouterA-Serial0] quit
      [RouterA] ip route-static 10.1.2.0 255.255.255.0 202.38.162.1
   r  Apply the security policy on the serial interface.
      [RouterA] interface serial 0
      [RouterA-Serial0] ipsec policy policy1

2  Configure Router B:
   a  Configure an access list and define the data stream from subnet 10.1.2.x to subnet 10.1.1.x.
      [RouterB] acl 100
      [RouterB-acl-100] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
      [RouterB-acl-100] rule deny ip source any destination any
   b  Create the crypto card proposal view named tran1.
      [RouterB] ipsec card-proposal tran1
   c  Adopt tunnel mode as the packet-encapsulating form.
      [RouterB-ipsec-card-proposal-tran1] encapsulation-mode tunnel
   d  Adopt ESP as the security protocol.
      [RouterB-ipsec-card-proposal-tran1] transform esp-new
   e  Select the algorithms.
      [RouterB-ipsec-card-proposal-tran1] esp-new encryption-algorithm des
      [RouterB-ipsec-card-proposal-tran1] esp-new authentication-algorithm sha1-hmac-96
   f  Return to system view.
      [RouterB-ipsec-card-proposal-tran1] quit
   g  Create a security policy with the negotiation mode set to manual.
      [RouterB] ipsec policy map1 10 manual
   h  Quote the access list.
      [RouterB-ipsec-policy-map1-10] security acl 100
   i  Set the remote address.
      [RouterB-ipsec-policy-map1-10] tunnel remote 202.38.163.1
   j  Set the local address.
      [RouterB-ipsec-policy-map1-10] tunnel local 202.38.162.1
   k  Quote the IPSec proposal.
      [RouterB-ipsec-policy-map1-10] proposal tran1
   l  Set the SPIs.
      [RouterB-ipsec-policy-map1-10] sa outbound esp spi 54321
      [RouterB-ipsec-policy-map1-10] sa inbound esp spi 12345
   m  Set the encryption keys.
      [RouterB-ipsec-policy-map1-10] sa outbound esp string-key gfedcba
      [RouterB-ipsec-policy-map1-10] sa inbound esp string-key abcdefg
   n  Return to system view.
      [RouterB-ipsec-policy-map1-10] quit
   o  Enter Ethernet interface view and configure the IP address.
      [RouterB] interface ethernet 0
      [RouterB-Ethernet0] ip address 10.1.2.1 255.255.255.0
      [RouterB-Ethernet0] quit
   p  Enter serial interface view and configure the IP address.
      [RouterB] interface serial 0
      [RouterB-Serial0] ip address 202.38.162.1 255.255.255.0
   q  Return to system view and configure the static route to network segment 10.1.1.x.
      [RouterB-Serial0] quit
      [RouterB] ip route-static 10.1.1.0 255.255.255.0 202.38.163.1
   r  Apply the security policy on the serial interface.
      [RouterB] interface serial 0
      [RouterB-Serial0] ipsec policy map1

Troubleshooting IPSec

NDEC card cannot be configured

When configuring crypto card commands, the following message is displayed: No valid encrypt-card.
Do the following:

  ■ Check that the crypto card is plugged in correctly. Under normal conditions the "run" indicator of the crypto card blinks steadily (one second on, one second off).
  ■ Use the display encrypt-card version command to check the crypto card status. Under normal conditions it displays the card and version information of the crypto card. If nothing is displayed, the host has not detected the crypto card. The crypto card may still be enabled ("run" indicator blinks quickly); if the crypto card is still in this state 5 seconds later, the router may be restarted (note that the configuration of the router must be saved first).

Routers cannot ping each other after IPSec configuration

Do the following:

  ■ Check whether the security policy was applied on the interface. Use the display current-configuration interface command to check whether a policy is configured on the interface. Under normal conditions the configured policy is displayed. If no policy is configured, apply the security policy under interface view.
  ■ Check that the security policies match. If the security policy was created manually, the local and remote addresses of the security association must be correct and the parameters of the security association must be identical on both ends. After changing the parameters of a security association, delete the security policy map and then re-apply it.
  ■ Check the consistency of the security protocol. For a manually created security policy, the security protocol selected by the IPSec proposal must be the same on both routers.
  ■ Check the access control list. If the checks above find no problem, or the problem persists after correcting what they found, check the access control list: verify that it permits traffic between both interconnecting parties.
  ■ Check the hardware link. If the problem cannot be eliminated by the methods above, check whether the hardware link is normal.
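The peer-consistency rules that the three configuration examples follow and that the troubleshooting list asks you to verify by hand (policy applied on the interface, mirrored tunnel addresses, identical proposals, mirrored SPIs and keys for manual SAs or a matching pre-shared key for IKE, mirror-image access lists) can be checked mechanically before either router is touched. The following Python script is an added example and not part of the 3Com manual. It parses configuration written in the manual's "[view] command" notation but understands only the commands shown in the examples above and ignores wildcard masks; the side() helper, the policy name pol and the BAD_B configuration are constructed for the example, while the addresses, SPIs, keys and pre-shared key are the ones the manual's examples use.

```python
# Added example (not from the 3Com manual): parse two routers' IPSec configuration and check peer consistency.
import re
from collections import defaultdict

PROMPT = re.compile(r"^\[([A-Za-z0-9]+)(?:-(.+?))?\]\s*(.+?)\s*$")   # [Router-view] command


def parse(text):
    """Collect ACL rules, proposals, policies, interfaces and IKE pre-shared keys of one router."""
    cfg = {"acl": defaultdict(list), "proposal": defaultdict(dict), "policy": defaultdict(dict), "iface": defaultdict(dict), "psk": {}}
    for line in text.strip().splitlines():
        m = PROMPT.match(line.strip())
        if not m or m.group(3) == "quit":
            continue
        _, view, cmd = m.groups()
        w = cmd.split()
        if view is None:                                    # system view
            if w[:2] == ["ipsec", "policy"]:                # ipsec policy NAME SEQ manual|isakmp
                cfg["policy"][w[2]]["mode"] = w[4]
            elif w[:2] == ["ike", "pre-shared-key"]:        # ike pre-shared-key KEY remote ADDR
                cfg["psk"][w[4]] = w[2]
        elif view.startswith("acl-"):                       # rule permit|deny ip source S M destination D M
            cfg["acl"][view[4:]].append((w[1], w[4], w[w.index("destination") + 1]))
        elif "proposal-" in view:                           # ipsec-proposal-NAME or ipsec-card-proposal-NAME
            key = w[1] if w[0] == "esp-new" else w[0]       # encryption-algorithm, transform, ...
            cfg["proposal"][view.split("proposal-", 1)[1]][key] = w[-1]
        elif view.startswith("ipsec-policy-"):              # ipsec-policy-NAME-SEQ
            pol = cfg["policy"][view[13:].rsplit("-", 1)[0]]
            if w[0] in ("security", "proposal"):            # security acl N / proposal NAME
                pol[w[0] if w[0] == "proposal" else "acl"] = w[-1]
            elif w[0] == "tunnel":                          # tunnel local|remote ADDR
                pol[w[1]] = w[2]
            elif w[0] == "sa":                              # sa outbound|inbound esp spi|string-key VALUE
                pol[w[1] + "_" + w[3]] = w[4]
        else:                                               # interface view, e.g. Serial0
            if w[:2] == ["ipsec", "policy"]:
                cfg["iface"][view]["policy"] = w[2]
            elif w[:2] == ["ip", "address"]:
                cfg["iface"][view]["ip"] = w[2]
    return cfg


def check_peers(a_text, b_text, a_policy, b_policy):
    """Return the mismatches between the two peers' policies (an empty list when consistent)."""
    a, b = parse(a_text), parse(b_text)
    pa, pb = a["policy"][a_policy], b["policy"][b_policy]
    ia = next((i for i, d in a["iface"].items() if d.get("policy") == a_policy), None)
    ib = next((i for i, d in b["iface"].items() if d.get("policy") == b_policy), None)
    if ia is None or ib is None:                            # first item of the troubleshooting list
        return ["policy not applied on any interface"]
    # Effective local address: explicit "tunnel local", otherwise the applying interface's address.
    la, lb = pa.get("local", a["iface"][ia].get("ip")), pb.get("local", b["iface"][ib].get("ip"))
    out = []
    if pa.get("remote") != lb or pb.get("remote") != la:
        out.append("tunnel addresses not mirrored")
    prop_a, prop_b = a["proposal"].get(pa.get("proposal")), b["proposal"].get(pb.get("proposal"))
    if not prop_a or prop_a != prop_b:
        out.append("IPSec proposals differ")
    if pa.get("mode") != pb.get("mode"):
        out.append("negotiation mode differs")
    elif pa.get("mode") == "manual":                        # A's outbound SA must be B's inbound SA
        for p in ("spi", "string-key"):
            if pa.get("outbound_" + p) != pb.get("inbound_" + p) or pa.get("inbound_" + p) != pb.get("outbound_" + p):
                out.append(p + " not mirrored between outbound and inbound SAs")
    elif a["psk"].get(lb) is None or a["psk"].get(lb) != b["psk"].get(la):
        out.append("IKE pre-shared key missing or different")
    permit_a = {(s, d) for k, s, d in a["acl"].get(pa.get("acl"), []) if k == "permit"}
    permit_b = {(s, d) for k, s, d in b["acl"].get(pb.get("acl"), []) if k == "permit"}
    if {(d, s) for s, d in permit_a} != permit_b:
        out.append("access lists are not mirror images")
    return out


def side(r, local, remote, src, dst, mode="manual", spi=(), key=(), psk=None):
    """Constructed helper: one router's configuration in the manual's notation (policy name 'pol')."""
    p, q = f"[{r}-ipsec-policy-pol-10]", f"[{r}-ipsec-proposal-tran1]"
    lines = [f"[{r}] acl 101",
             f"[{r}-acl-101] rule permit ip source {src} 0.0.0.255 destination {dst} 0.0.0.255",
             f"[{r}-acl-101] rule deny ip source any destination any",
             f"[{r}] ipsec proposal tran1", f"{q} encapsulation-mode tunnel", f"{q} transform esp-new",
             f"{q} esp-new encryption-algorithm des", f"{q} esp-new authentication-algorithm sha1-hmac-96",
             f"[{r}] ipsec policy pol 10 {mode}", f"{p} security acl 101", f"{p} proposal tran1",
             f"{p} tunnel remote {remote}"]
    if mode == "manual":
        lines += [f"{p} tunnel local {local}", f"{p} sa outbound esp spi {spi[0]}", f"{p} sa inbound esp spi {spi[1]}",
                  f"{p} sa outbound esp string-key {key[0]}", f"{p} sa inbound esp string-key {key[1]}"]
    else:
        lines.append(f"[{r}] ike pre-shared-key {psk} remote {remote}")
    lines += [f"[{r}] interface serial 0", f"[{r}-Serial0] ipsec policy pol", f"[{r}-Serial0] ip address {local} 255.255.255.0"]
    return "\n".join(lines)


A_IP, B_IP = "202.38.163.1", "202.38.162.1"          # serial addresses from the manual's Figure 174
MANUAL_A = side("RouterA", A_IP, B_IP, "10.1.1.0", "10.1.2.0", spi=("12345", "54321"), key=("abcdefg", "gfedcba"))
MANUAL_B = side("RouterB", B_IP, A_IP, "10.1.2.0", "10.1.1.0", spi=("54321", "12345"), key=("gfedcba", "abcdefg"))
IKE_A = side("RouterA", A_IP, B_IP, "10.1.1.0", "10.1.2.0", mode="isakmp", psk="abcde")
IKE_B = side("RouterB", B_IP, A_IP, "10.1.2.0", "10.1.1.0", mode="isakmp", psk="abcde")
BAD_B = side("RouterB", B_IP, A_IP, "10.1.2.0", "10.1.1.0", spi=("54321", "12346"), key=("gfedcba", "abcdefg"))  # inbound SPI mistyped

if __name__ == "__main__":
    for label, (x, y) in {"manual": (MANUAL_A, MANUAL_B), "ike": (IKE_A, IKE_B), "bad": (MANUAL_A, BAD_B)}.items():
        print(label, check_peers(x, y, "pol", "pol") or "consistent")
```

The checker reports nothing for the manual's two working pairs and flags the mistyped SPI in BAD_B; the same call can be pointed at the output of display current-configuration on real routers once the lines are prefixed with the view prompts the manual uses.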